Can you clarify your question? Are you talking about giving root/Administrator access to someone who doesn't already have it? Or are you talking about admin access in general? Any type of admin usually has the ability to do all sorts of system changes.
– Eric G, Sep 13 '13 at 2:52

1 Answer

If the task assigned to the staff member is simply to check file permissions, not modify them, then a copy of the file system's access control table could be given to the staff member by a more trusted administrator. The staff member could then review the file permissions, independently of the actual access control list. NTFS, for example. Directory listing tools and scripts could provide the same information.

If an untrusted staff member needs the root privileges for modification, installation or other activities, I can think of two precautions off-hand:

Back up the computer before giving them access. Revoke access after the work is complete, and then compare the computer against its backup to see what exactly was changed.

Route all console commands through an audit logging proxy box that the staff member does not have access to. This way at least the staff member can't pretend they didn't run various suspicious commands. Limited to monitoring non-interactive tools, unless the proxy machine also video logs all screen display and audio.
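
The backup-and-compare precaution above, sketched as an added example (not part of the original answer): a manifest of mode, owner and SHA-256 per path is taken before access is granted and diffed afterwards, and the same manifest can serve as the read-only permissions copy handed to a reviewer. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each path under root to (mode string, uid, gid, content digest)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: record symlinks, never follow them
            digest = None
            if stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256(Path(full).read_bytes()).hexdigest()
            elif stat.S_ISLNK(st.st_mode):
                digest = "link:" + os.readlink(full)
            manifest[os.path.relpath(full, root)] = (
                stat.filemode(st.st_mode), st.st_uid, st.st_gid, digest)
    return manifest

def diff(before, after):
    """Return (kind, path) findings, sorted by path."""
    findings = []
    for path in sorted(before.keys() | after.keys()):
        old, new = before.get(path), after.get(path)
        if old is None:
            findings.append(("added", path))
        elif new is None:
            findings.append(("removed", path))
        else:
            if old[:3] != new[:3]:
                findings.append(("perm/owner changed", path))
            if old[3] != new[3]:
                findings.append(("content changed", path))
    return findings

def demo():
    """Constructed sample tree standing in for the audited machine."""
    with tempfile.TemporaryDirectory() as root:
        cfg, motd = Path(root, "sshd_config"), Path(root, "motd")
        cfg.write_text("PermitRootLogin no\n")
        motd.write_text("maintenance at 02:00\n")
        before = snapshot(root)  # taken by the trusted admin beforehand
        cfg.write_text("PermitRootLogin yes\n")  # changes made during access
        motd.chmod(0o777)
        Path(root, "cron_job").write_text("")
        return diff(before, snapshot(root))
```

The "before" manifest has to be stored somewhere the staff member cannot write to, otherwise the comparison proves nothing.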